Unchecked buffer overrun in enc_untrusted_inet_pton

Vulnerability

The vulnerability exists in the enc_untrusted_inet_pton function in Asylo versions up to 0.6.0. The function does not check the size of the attacker-controlled klinux_addr_buffer parameter, allowing an attacker to specify a buffer larger than expected. This leads to an arbitrary memory read when the function copies data from klinux_addr_buffer to the output buffer, potentially reading memory outside the intended buffer [1].

Exploitation

An untrusted attacker can trigger the vulnerability by calling enc_untrusted_inet_pton with a crafted klinux_addr_buffer pointer and size. The attacker controls the buffer size, and if it is larger than the expected klinux_in_addr or klinux_in6_addr structure, the memcpy will read beyond the intended boundaries. No authentication or special privileges are required; the attacker only needs the ability to make the function call.

Impact

Successful exploitation allows the attacker to read arbitrary memory, including memory within the secure enclave. This compromises the confidentiality of sensitive data stored in the enclave, potentially exposing cryptographic keys, secrets, or other protected information.

Mitigation

The issue is fixed in commit 8fed5e334131abaf9c5e17307642fbf6ce4a57ec [1], which adds size checks for the buffer based on the address family (AF_INET or AF_INET6). Users should upgrade to a version of Asylo that includes this patch. No workaround is available for versions prior to the fix.